Yesterday Apple released emergency security updates to address two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that have been exploited by hackers, using malicious webpages, to access sensitive information on Apple devices and/or to execute arbitrary code by taking advantage of a memory corruption bug.
The list of impacted devices includes:
- iPhone XS and later
- iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
- Macs running macOS Monterey, Ventura, or Sonoma
Michael Covington, vice president of Portfolio Strategy at Apple device security and management company Jamf, is urging users to patch immediately. Here’s a statement he shared with Apple World Today:
Apple’s latest OS updates — which include iOS 17.1.2, iPadOS 17.1.2 and macOS Sonoma 14.1.2 — contain important security content to address zero-day threats that are putting users and organizations at risk. Jamf is advising our customers to treat these updates as critical and update immediately.
The patches, which are provided as OS updates and not Rapid Security Responses, address reports of active exploits against previous versions of both Apple’s mobile and mainstream operating systems.
These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. The latest bugs could lead to both data leakage and arbitrary code execution, and appear to be tied to targeted attacks that are common against high-risk users.
Despite these vulnerabilities being actively exploited, Apple continues to rapidly respond to address product issues. In addition to maintaining their own monitoring mechanisms to detect malicious activity, Apple collaborates with researchers in the community and runs an active bug bounty program.
Though these patches validate that Apple devices are not immune to cyber threats, the patching process is helping to reduce the attack surface. Now that the patches are issued, it is up to users, and organizations that utilize Apple devices for work, to update their devices and monitor for compliance to ensure that all critical devices are no longer vulnerable as soon as possible.